R1 configuration commands
#
sysname R1
#
acl number 3001
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
pre-shared-key simple 12345678
ike-proposal 10
peer-id-type ip
nat traversal
remote-address 222.1.1.2
#
ipsec policy vpn1 10 isakmp
security acl 3001
ike-peer ikep1
proposal tran1
#
interface Ethernet0/0/0
ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 211.1.1.2 255.255.255.0
ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 211.1.1.1
#
R2 configuration commands
#
interface Ethernet0/0/0
ip address 211.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 222.1.1.1 255.255.255.0
#
R3 configuration commands
sysname R3
#
acl number 3001
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
ipsec proposal tran1
#
ike proposal 10
#
ike peer ikep1 v2
pre-shared-key simple 12345678
ike-proposal 10
peer-id-type ip
nat traversal
remote-address 211.1.1.2
#
ipsec policy vpn1 10 isakmp
security acl 3001
ike-peer ikep1
proposal tran1
#
interface Ethernet0/0/0
ip address 172.16.10.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 222.1.1.2 255.255.255.0
ipsec policy vpn1
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#
VPN verification commands
[R1]dis ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
72 222.1.1.2 0 RD|ST 2
71 222.1.1.2 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[R1]dis ipsec sa
===============================
Interface: Ethernet0/0/1
Path MTU: 0
===============================
-----------------------------
IPSec policy name: "vpn1"
Sequence number : 10
Acl Group : 3001
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 72
Encapsulation mode: Tunnel
Tunnel local : 211.1.1.2
Tunnel remote : 222.1.1.2
Flow source :192.168.10.0/255.255.255.0 0/0
Flow destination : 172.16.10.0/255.255.255.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2314962465 (0x89fb8621)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 0/2774
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 20918216 (0x13f2fc8)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 0/2774
Max received sequence-number: 0
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
[R1]display ipsec sa brief
Number of SAs:0
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
211.1.1.2 222.1.1.2 2314962465 0 ESP E:DES A:MD5-96
222.1.1.2 211.1.1.2 20918216 0 ESP E:DES A:MD5-96
Problem report
Traffic between the computers is not encrypted
[R1] ping -a 192.168.10.1 172.16.10.1
PING 172.16.10.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 172.16.10.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
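
An added example, not part of the original post: a Python check that parses the ESP SA blocks of the "dis ipsec sa" output above and reports, per SA, the negotiated algorithms and whether any packet has used it. The sample text is constructed from that output; the WEAK list and the function names are assumptions of this example, and a maximum sequence number of 0 is read as "no packet protected yet" because ESP numbers the first packet 1.

```python
import re

# Constructed sample: trimmed from the "dis ipsec sa" output shown above.
SAMPLE = """\
[Outbound ESP SAs]
SPI: 2314962465 (0x89fb8621)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 0/2774
Max sent sequence-number: 0
[Inbound ESP SAs]
SPI: 20918216 (0x13f2fc8)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 0/2774
Max received sequence-number: 0
Anti-replay window size:
"""

# Assumption: local policy list of algorithms to flag as weak.
WEAK = ("DES", "3DES", "MD5", "SHA1")

def parse_sas(text):
    """Return one dict per SA block: direction, protocol, SPI, algorithms, max sequence number."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\[(Outbound|Inbound) (\w+) SAs\]", line):
            cur = {"direction": m[1].lower(), "protocol": m[2], "spi": None, "algs": [], "max_seq": None}
            sas.append(cur)
        elif cur is None:
            continue  # header lines before the first SA block
        elif m := re.match(r"SPI:\s*(\d+)", line):
            cur["spi"] = int(m[1])
        elif m := re.match(r"Proposal:\s*(.+)", line):
            # "ESP-ENCRYPT-DES-64" -> "DES", "ESP-AUTH-MD5" -> "MD5"
            cur["algs"] = [re.sub(r"^\w+-(ENCRYPT|AUTH)-", "", t).split("-")[0] for t in m[1].split()]
        elif m := re.match(r"Max (?:sent|received) sequence-number:\s*(\d+)", line):
            cur["max_seq"] = int(m[1])
    return sas

def findings(sas):
    """List weak algorithms and SAs that have never carried a packet."""
    out = []
    for sa in sas:
        tag = f"{sa['direction']} SPI {sa['spi']}"
        out += [f"{tag}: weak algorithm {a}" for a in sa["algs"] if a in WEAK]
        if sa["max_seq"] == 0:
            out.append(f"{tag}: sequence number 0, no packets have used this SA")
    return out
```

Running findings(parse_sas(SAMPLE)) on the output above reports DES and MD5 on both SAs and that neither SA has carried a packet.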